Comment 8 for bug 671190

Nowadays, we don't generally use a custom chroot for bootstrapping; I don't recall any instance in the last two years when this has been necessary. Rather, the chroots for the current development series have a manually-maintained bootstrap archive in their sources.list, which is normally kept empty but can be populated with a handful of packages if need be (or indeed an entire stage-N archive when bootstrapping a new architecture). For more extreme cases we can use devirtualised PPAs of other series or a different selection of pockets to dig ourselves out of holes; the need for that is even rarer.

This is almost good enough, and it's certainly more auditable since packages fetched from the bootstrap archive show up in build logs as such, but it's still not ideal because in theory the bootstrap archive can affect any devel build that happens to be scheduled. However, the modern approach suggests a simpler solution to this problem. How about we add a column to BinaryPackageBuild that's only writeable by launchpad-buildd-admins and that contains an extra sources.list line? This could then be set over the API, either directly (for already-pending builds) or by way of a keyword argument to the retry method, and BinaryPackageBuildBehaviour would include that in the sources.list lines it sends to the builder when dispatching the build. That seems relatively simple and almost elegant to me, and doesn't open any security problems that aren't already present (since buildd-admins can upload modified chroots anyway).